Use client certificates to call Web Services for identity authentication (zz)

Source: Internet
Author: User

Summary
This article describes how to pass a client certificate from an ASP.NET web application to a web service for authentication.

Note: The steps in this article also apply when the HttpWebRequest class is used to make direct HTTP requests rather than web service calls.

Introduction
A web service usually has to authenticate the application that calls it, and it must do so before it can make any authorization decision. One way to authenticate the caller is to require the calling application to present a client certificate.

If an ASP.NET web application tries to call a web service that uses certificate authentication, you may receive an "Access Denied" error. A console application or a Microsoft Windows Forms application that calls the same web service does not receive the error.

This behavior occurs because the computer maintains two different certificate stores:
• Local Machine store: ASP.NET web applications look in this store for the client certificate.
• Local User store: interactive user applications look in this store for the client certificate.
When a client certificate is installed from an interactive user application, it is usually installed in the Local User store. The certificate can therefore be used by interactive user applications, but it is not visible to ASP.NET web applications.

More information
To let an ASP.NET web application use a client certificate, you must install the client certificate in the Local Machine store. A certificate installed in the Local Machine store is available only to members of the Administrators group and to the user who installed it, so you must also grant the user account that runs the ASP.NET web application access to the certificate (specifically, to its private key).

Note: You must install Microsoft .NET Framework 1.1 Service Pack 1 (SP1) to use client certificates from the Local Machine store.

In addition, when the ASP.NET web application calls the web service, the application must load the client certificate (in .NET Framework 1.1, from a file exported from the certificate store) and add it to the web service call.

Install the client certificate and grant access permissions to the user account
To install the client certificate and grant the user account that runs the ASP.NET web application access to it, perform the following steps.
Step 1: Install the client certificate in the Local Machine store
If the client certificate is in a PKCS #12 (.pfx) file, you can use the Microsoft Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe) to install the client certificate and to grant other user accounts (such as the Network Service account) access to it. To do this, follow these steps:
1. Download and install the Windows HTTP Services Certificate Configuration Tool from the following Microsoft website:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c42e27ac-3409-40e9-8667-c748e422833f
2. Run the following command at a command prompt:
winhttpcertcfg.exe -i pfxfile -c LOCAL_MACHINE\My -p password
Note: pfxfile is the name of the .pfx file, and password is the password that protects it. If the file is not password-protected, omit the -p parameter.

The winhttpcertcfg.exe file is usually located in the following folder:
C:\Program Files\Windows Resource Kits\Tools
If you do not have access to the .pfx file, and Microsoft Certificate Services is installed on a computer that runs Microsoft Windows Server 2003 or Microsoft Windows 2000 Server, you can request a certificate and install it directly in the Local Machine store. To do this, follow these steps:
1. Log on to the client computer with a user account that has Administrator credentials.
2. Open the certification authority (CA) website in Microsoft Internet Explorer. For example, if the CA server is named caserver, go to the following address:
http://caserver/certsrv
3. Under Select a task, click Request a certificate, and then click advanced certificate request.
4. Click Create and submit a request to this CA.
5. In the Advanced Certificate Request form, type your name and e-mail address.
6. Under Type of Certificate Needed, click Client Authentication Certificate.
7. Under Key Options, click to select the Store certificate in the local computer certificate store check box, and then click Submit.

Note the request ID of the client certificate.
8. In the Potential Scripting Violation dialog box, click Yes.
9. After the CA issues the client certificate, click Home, and then click View the status of a pending certificate request.
10. Under Select the certificate request you want to view, click the request that you submitted in step 7.
11. Click Install this certificate, and then click Yes in the Potential Scripting Violation dialog box.

Step 2: configure access permissions for client certificates
In this step, you grant the ASP.NET account access to the client certificate in the Local Machine store. On Windows Server 2003, the Network Service account is the default account that runs web applications, so you must grant the Network Service account access to the certificate. If you have configured a custom account to run ASP.NET, grant access to that custom account instead.

Note: On Microsoft Internet Information Services (IIS) 5.0, ASP.NET runs under the ASPNET account rather than the Network Service account. Therefore, on a computer that runs IIS 5.0, you must grant access to the ASPNET account.

To grant access to a specific user account, run the following command at a command prompt:
winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s "IssuedToName" -a "AccountName"
Note: AccountName is a local or domain account name. IssuedToName is the company or domain name in the subject of the client certificate. The -s value is a case-insensitive search string: the tool enumerates the certificates in the store and uses the first one whose subject name contains the string, so make the string specific enough to match only the intended certificate.

The following command grants the Network Service account access to the client certificate on Microsoft Internet Information Services (IIS) 6.0:
winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s "IssuedToName" -a "NT AUTHORITY\NetworkService"
The following command grants the ASPNET account access to the client certificate on IIS 5.0:
winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s "IssuedToName" -a "ASPNET"
Note: With the Windows HTTP Services Certificate Configuration Tool, you can combine importing the client certificate and granting access to it in one step. For example, the following command performs both operations (add -p password if the .pfx file is password-protected):
winhttpcertcfg.exe -i pfxfile -c LOCAL_MACHINE\My -a "AccountName"
Step 3: copy the client certificate from local user storage to Local Machine Storage
If an interactive application (such as a Windows Forms application) or a command-line application can access the client certificate, the client certificate is stored in the Local User store. If a service application (such as an ASP.NET web application) cannot access the same client certificate, the certificate is probably not in the Local Machine store.

This step describes how to use the Certificate Export Wizard to copy a client certificate from the Local User store to the Local Machine store.

Note: If the client certificate is already in the Local Machine store, or if you can install the client certificate directly into the Local Machine store as described in step 1, skip to step 4. If you do use step 3, return to step 2 afterwards to grant access to the copied certificate: the import creates a new private key container in the machine key store, and the permissions of that container do not include the ASP.NET account.

To copy the client certificate to the Local Machine store, perform the following steps:
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-in dialog box, click Certificates, click Add, click Computer account, click Next, and then click Finish.
4. In the Add Standalone Snap-in dialog box, click Certificates, click Add, click My user account, and then click Finish.
5. Click Close, and then click OK.
6. To export the client certificate from the Local User store, perform the following steps:
a. Expand Certificates - Current User, expand Personal, and then click Certificates.
b. Right-click the client certificate, point to All Tasks, click Export, and then click Next.
c. If the Yes, export the private key option is unavailable, the private key was marked non-exportable when the certificate was installed, and the ASP.NET web application cannot use this client certificate. You must obtain another client certificate; to do this, follow steps 1 and 2. Otherwise, click Yes, export the private key, and then click Next twice.
d. In the Password and Confirm password boxes, type a password, and then click Next.
e. In the File name box, type a file name, click Next, and then click Finish.
f. In the Certificate Export Wizard dialog box, click OK.

7. To import the client certificate into the Local Machine store, perform the following steps:
a. Expand Certificates (Local Computer), and then expand Personal.
b. Right-click Certificates, point to All Tasks, click Import, and then click Next.
c. In the File name box, type the file name that you specified in step 6e, and then click Next.
d. In the Password box, type the password that you specified in step 6d, and then click Next twice.
e. Click Finish, and then click OK.

Delete the exported .pfx file after the import completes; it contains the private key.

Step 4: Install the CA root certificate
If the client certificate was issued by an external CA (such as VeriSign), or if you have already installed the CA root certificate, skip step 4.

By default, Windows ships with the root certificates of many external CAs preinstalled in the Trusted Root Certification Authorities store.
Verify that the root certificate is installed
To verify that the CA root certificate is installed, perform the following steps:
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-in dialog box, click Certificates, click Add, click Computer account, click Next, and then click Finish.
4. Click Close, and then click OK.
5. Expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
6. In the right pane, confirm that the CA root certificate that you want to use is listed.

Install the root certificate
If the CA root certificate that you want to use is not listed, you must install it. Anything placed in the Local Computer Trusted Root Certification Authorities store is trusted by every user and service on the computer, so verify the root certificate's thumbprint against a value obtained from the CA operator before you import it. If you have the CA root certificate in a certificate file (such as a .cer, .der, or .pfx file), perform the following steps:
1. Expand Certificates (Local Computer), right-click Trusted Root Certification Authorities, point to All Tasks, and then click Import.
2. In the Certificate Import Wizard, click Next, type the name of the certificate file in the File name box, and then click Next twice.
3. Click Finish, and then click OK.

Request the root certificate
If the CA that you want to use is a Microsoft Certificate Services installation, you can download its root certificate. To do this, follow these steps:
1. Open the CA website in Internet Explorer. For example, if the CA server is named caserver, go to the following address:
http://caserver/certsrv
2. Click Download a CA certificate, certificate chain, or CRL, and then click Download CA certificate.
3. In the File Download dialog box, click Save.
4. In the Save As dialog box, type the location where you want to save the certificate file, and then click Save.
5. After you save the root certificate file, use the steps in the "Install the root certificate" section to install it in the Trusted Root Certification Authorities store.
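As an added example (not part of the original article), the following C# program performs steps 1, 2 and 4 programmatically, using the System.Security.Cryptography.X509Certificates and System.Security.AccessControl classes that shipped in .NET Framework 2.0 instead of winhttpcertcfg.exe and the MMC snap-in. It imports a .pfx into the Local Machine Personal store, grants an account read access to the private key container (which is what winhttpcertcfg -g does), checks from the calling identity whether the private key can actually be opened, and confirms that the certificate chains to a root in the machine's Trusted Root store. The file path, password and account name are placeholders, and the code assumes a CAPI RSA key, which is what the .pfx files and CAs discussed in this article produce.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example: programmatic equivalent of steps 1, 2 and 4 (not from the original article).
// Requires .NET Framework 2.0 or later and must run as an administrator, because it writes
// to the Local Machine store and changes the ACL of a machine key container.
public static class ClientCertSetup
{
    // Step 1: import the .pfx into LOCAL_MACHINE\My. MachineKeySet puts the private key in
    // the machine key store instead of the importing user's profile; PersistKeySet keeps it
    // there after the X509Certificate2 object is garbage-collected.
    public static X509Certificate2 InstallToLocalMachine(string pfxPath, string pfxPassword)
    {
        X509Certificate2 cert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);
        store.Close();
        return cert;
    }

    // Step 2: grant read access on the private key container (what "winhttpcertcfg -g" does).
    // Only GenericRead is granted: the worker-process account needs to use the key, not to
    // export or delete it.
    public static void GrantPrivateKeyRead(X509Certificate2 cert, string account)
    {
        RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new InvalidOperationException("No CAPI RSA private key; import with MachineKeySet first.");

        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        CspParameters csp = new CspParameters(info.ProviderType, info.ProviderName, info.KeyContainerName);
        csp.Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.UseMachineKeyStore;
        csp.CryptoKeySecurity = info.CryptoKeySecurity;
        csp.CryptoKeySecurity.AddAccessRule(new CryptoKeyAccessRule(
            new NTAccount(account), CryptoKeyRights.GenericRead, AccessControlType.Allow));

        // Re-opening the existing container with CryptoKeySecurity set writes the new ACL.
        using (RSACryptoServiceProvider reopened = new RSACryptoServiceProvider(csp)) { }
    }

    // Diagnostic: can the identity running this code open the private key? Run it under the
    // ASP.NET account (for example from a test page) to reproduce the "Access Denied" the
    // article describes without involving the real web service.
    public static bool CanUsePrivateKey(X509Certificate2 cert)
    {
        try
        {
            // Reading PrivateKey opens the key container; without read access on the
            // container this throws CryptographicException ("Keyset does not exist").
            return cert.HasPrivateKey && cert.PrivateKey != null;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    // Step 4: check that the certificate chains to a root in the Local Computer Trusted Root
    // Certification Authorities store. Revocation checking is disabled here only because the
    // CRL may not be reachable from a build machine; keep it enabled in production.
    public static bool ChainsToTrustedRoot(X509Certificate2 cert, out string status)
    {
        X509Chain chain = new X509Chain(true); // true = build in the machine context
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool ok = chain.Build(cert);
        status = ok ? "OK"
                    : (chain.ChainStatus.Length > 0 ? chain.ChainStatus[0].StatusInformation.Trim() : "unknown");
        return ok;
    }

    public static void Main(string[] args)
    {
        // Placeholders (assumptions, not values from the article).
        X509Certificate2 cert = InstallToLocalMachine(@"C:\certs\client.pfx", "pfx-password");
        GrantPrivateKeyRead(cert, @"NT AUTHORITY\NETWORK SERVICE");

        string status;
        Console.WriteLine("Installed  : " + cert.Subject + " (" + cert.Thumbprint + ")");
        Console.WriteLine("Private key: " + (CanUsePrivateKey(cert) ? "usable" : "NOT accessible"));
        Console.WriteLine("Chain      : " + (ChainsToTrustedRoot(cert, out status) ? "trusted" : "untrusted: " + status));
    }
}
```

CanUsePrivateKey is the check worth keeping around: run it as the worker-process account after step 2 and again after any certificate renewal, because a renewed certificate gets a new key container with default permissions, and the "Access Denied" error returns.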


Call Web Services
After you install the client certificate in the Local Machine store (or in the Local User store, for an interactive application), you can access it from the ASP.NET web application to call the web service. The steps for accessing a client certificate are the same for Windows Forms applications and ASP.NET web applications.

If you are using .NET Framework 1.1, you must first export the certificate to a DER-encoded file (.cer). This is necessary because the System.Security.Cryptography.X509Certificates.X509Certificate class in .NET Framework 1.1 has no method for reading a certificate directly from the certificate store, so the application must read the certificate details from the DER-encoded file. The DER file contains only the public certificate; the private key stays in the certificate store, and the application still needs the access granted in step 2 to use it during the connection.

Note: Web Services Enhancements 2.0 for Microsoft .NET (WSE) provides a method for retrieving the certificate directly from the certificate store.
The following C # sample code shows how to call web services by passing client certificates for identity authentication. Using system. Security. cryptography. x509certificates;
...

Public void callwebservice ()
{
// Todo: replace <C: wsclientcert. Cer> with the path of your certificate file.
String certpath = @ "<C: wsclientcert. Cer> ";

// Create an instance of the Web Service proxy.
Websvc. Math mathservice = new websvc. Math ();
// Todo: replace Mathservice. url = @ "

// Create an x509certificate object from the information
// In the certificate export file, and then add the certificate to
// Clientcertificates collection of the Web Service proxy.
Mathservice. clientcertificates. Add (
X509certificate. createfromcertfile (certpath ));

Long lngresult = 0;
Try
{
Lngresult = mathservice. Add (int32.parse (operand1.text ),
Int32.parse (operand2.text ));
String result = lngresult. tostring ();
}
Catch (exception ex)
{
If (ex is webexception)
{
Webexception we = ex as webexception;
Webresponse = We. response;
Throw new exception ("exception calling method." + ex. Message );
}
}
}

Web Services Enhancements 2.0 for Microsoft .NET
Web Services Enhancements 2.0 for Microsoft .NET (WSE) is a Microsoft .NET class library for building web services that use the latest web service protocols. These protocols include:
• WS-Security
• WS-SecureConversation
• WS-Trust
• WS-Policy
• WS-SecurityPolicy
• WS-Addressing
• WS-Attachments
Note: WSE is not part of the .NET Framework. To obtain WSE, visit the following Microsoft website:
http://www.microsoft.com/downloads/details.aspx?FamilyID=FC5F06C5-821F-41D3-A4FE-6C7B56423841
You do not have to use any of these protocols to access a web service that requires client certificate authentication. However, you may want to use the classes in the Microsoft.Web.Services2.Security.X509 namespace, which can read client certificates directly from the certificate store. If you use these classes, you do not have to export the certificate to a file.

The following C# sample code shows how to find the first certificate in the Local Machine store whose subject contains SecureMathClient, and then uses that certificate to call the Add method of the Math web service, which requires a client certificate.

using System;
using System.Net;
using Microsoft.Web.Services2.Security.X509;
...

// TODO: Replace <SecureMathClient> with the name of the client certificate.
string certName = "<SecureMathClient>";

// WSE 2.0 method
X509CertificateStore store =
    X509CertificateStore.LocalMachineStore(X509CertificateStore.MyStore);
store.OpenRead();
// Look in the Local Machine store for the certificates whose subject
// contains certName. This is a substring match, so use a name that
// matches only the intended certificate.
X509CertificateCollection col =
    (X509CertificateCollection)store.FindCertificateBySubjectString(certName);
store.Close();
X509Certificate cert = null;
if (col == null || col.Count == 0)
{
    throw new Exception("Certificate not found!");
}
// This sample uses the first matching certificate in the collection.
cert = col[0];

// Create an instance of the Web service proxy.
Math mathService = new Math();
// TODO: Replace the placeholder with the URL of the Web service.
mathService.Url = @"<WebServiceUrl>";
mathService.ClientCertificates.Add(cert);

long lngResult = 0;
try
{
    lngResult = mathService.Add(Int32.Parse(operand1.Text),
                                Int32.Parse(operand2.Text));
    Result.Text = lngResult.ToString();
}
catch (WebException we)
{
    // we.Response carries the HTTP status when the server rejected the certificate.
    WebResponse webResponse = we.Response;
    throw new Exception("Exception calling method. " + we.Message, we);
}
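Both samples above pick the certificate loosely (a file path, or the first subject-substring match) and only find out at call time whether it is usable. The following C# example is added here and is not from the original article or from WSE: it covers the same lookup with the X509Store class that shipped in .NET Framework 2.0, so neither the DER export of the .NET 1.1 sample nor WSE is needed, and it performs the checks a practitioner wants before the call. It selects the certificate by thumbprint, confirms that it has a private key and the Client Authentication extended key usage, and attaches it to an HttpWebRequest (the direct-HTTP case from the note at the top of the article; a SoapHttpClientProtocol proxy exposes the same ClientCertificates collection). The thumbprint and URL in Main are placeholders.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original article): certificate lookup with the .NET 2.0
// X509Store class, plus the checks that make "Access Denied" diagnosable.
public static class ClientCertCaller
{
    // Select the certificate by thumbprint rather than by a subject substring: a substring
    // search can match several certificates (an expired one, a test certificate with a
    // similar name), and "take the first match" then picks one silently.
    public static X509Certificate2 FindClientCertificate(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = true excludes expired certificates and ones that do not chain
            // to a trusted root (step 4 of the article).
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, true);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "No valid certificate with thumbprint " + thumbprint + " in LocalMachine\\My.");

            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; it cannot authenticate a client.");
            if (!HasClientAuthEku(cert))
                throw new InvalidOperationException("Certificate is not enabled for Client Authentication.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Servers reject certificates that carry an EKU extension without Client Authentication
    // (OID 1.3.6.1.5.5.7.3.2). A certificate with no EKU extension at all is valid for any purpose.
    public static bool HasClientAuthEku(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == "1.3.6.1.5.5.7.3.2") return true;
            return false;
        }
        return true;
    }

    // Direct HTTPS request that presents the client certificate.
    public static string Get(string url, X509Certificate2 cert)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(cert);
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
                return reader.ReadToEnd();
        }
        catch (WebException we)
        {
            // A 403 here, with a certificate that passed FindClientCertificate, commonly means
            // the worker-process account cannot open the private key, so no certificate was
            // sent during the handshake (step 2 of the article was not done for that account).
            HttpWebResponse failed = we.Response as HttpWebResponse;
            string detail = failed != null ? ((int)failed.StatusCode).ToString() : we.Status.ToString();
            throw new InvalidOperationException("Call failed (" + detail + "): " + we.Message, we);
        }
    }

    public static void Main()
    {
        // Placeholders: the thumbprint and URL are assumptions, not values from the article.
        X509Certificate2 cert = FindClientCertificate("0000000000000000000000000000000000000000");
        Console.WriteLine(Get("https://example.invalid/securemath/math.asmx?WSDL", cert));
    }
}
```

Pass the thumbprint in from configuration rather than hard-coding it, and copy it from the certificate's Details tab without the spaces; Find compares the hexadecimal string case-insensitively but will not match one that contains whitespace.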

Reference
For more information about the System.Security.Cryptography.X509Certificates.X509Certificate class, visit the following Microsoft Developer Network (MSDN) website:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemsecuritycryptographyx509certificatesx509certificateclasstopic.asp
For more information about calling secure websites from ASP.NET web applications, click the following article number to view the article in the Microsoft Knowledge Base:
817854 (http://support.microsoft.com/kb/817854/) FIX: ASP.NET web applications cannot send client certificates to secure websites
